Slashdot Mirror


Lenovo's Fingerprint Scanner Can Be Bypassed via a Hardcoded Password (bleepingcomputer.com)

Lenovo has issued an update to address a vulnerability in the fingerprint scanner app that it ships with ThinkPad, ThinkCentre, and ThinkStation models running Windows 8.1 or older versions of Windows. From a report: Fingerprint Manager Pro is an application developed by Lenovo that allows users to log into Windows machines and online websites by scanning one of their fingerprints using the fingerprint scanner embedded in selected Lenovo products. "A vulnerability has been identified in Lenovo Fingerprint Manager Pro," said Lenovo in a security advisory published last week. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said.

39 of 67 comments

  1. I'm surprised most companies permit this by froggyjojodaddy · Score: 4, Informative

    A few years ago, Mythbusters had an episode where they showed how easy it was to fool fingerprint scanners into granting access.

    The place where I work prohibits this via IT Policy and disables the fingerprint scanner on all laptops

    1. Re:I'm surprised most companies permit this by 110010001000 · Score: 2

      The two largest commercially available closed source operating systems have major security flaws that ship with the OS. Why would you care about a fingerprint scanner?

    2. Re:I'm surprised most companies permit this by jellomizer · Score: 1

      Bio-metrics often require a targeted attack, meaning you need to know who you are copying. So someone will need to say "I want this person's account," has to go through steps to get their fingerprint, replicate it, go to the physical device and use it. Most companies, even ones that value security, see this as a good trade-off. Especially compared to passwords, which, while in theory safer, in practice people will hide underneath the keyboard (or worse, on some file share), or make too simple. So a random person such as a cleaner could find the password and use it to get in. Also, once they have the password they can normally get in outside the office and remotely.

      Just because mythbusters did it, they have access to a lot of resources, and are able to cut out failures.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:I'm surprised most companies permit this by froggyjojodaddy · Score: 1

      I think most organizations (hopefully I'm not generalizing too much here..) are somewhat protected against OS level flaw attacks through anti-virus software, firewalls etc and the effort & knowledge required to take advantage of those flaws.

      With fingerprint vulnerabilities, however, the problem is that almost anyone can fake a fingerprint with very little technical know-how. All you really need is a method of pulling the print and access to a good photocopier/scanner according to the Mythbusters test. Like most attacks, I'm guessing the majority of the risk comes from the inside rather than the outside.

    4. Re:I'm surprised most companies permit this by omnichad · Score: 3, Funny

      On a laptop, there are plenty of places right on the laptop itself you could lift a print from.

    5. Re:I'm surprised most companies permit this by Anonymous Coward · Score: 1

      And yet once in a while I can't even convince my Lenovo to grant me access with my real fingerprint* - thanks Lenovo!

        *I think that's a Windows 10 thing to be fair, seems to be if I try to fingerprint too soon after waking the machine up, it gets in a weird state and won't play.

    6. Re:I'm surprised most companies permit this by froggyjojodaddy · Score: 1

      You make a good point. Although, watching the Mythbusters bypass it - it didn't seem to require a LOT of resources. With the exception of the ability to pull the print in the first place...

      What about detectability? If someone attacks a network from the outside, there's likely multiple systems that can flag it and alert the admin or security team. If someone copies my fingerprint and unlocks my PC, I have no idea. In fact, it would not register on any alarm / monitoring system.

      Of course, if someone has their password written down, then all bets are off - but that person must know, on some level, that writing down passwords is not a good idea.

    7. Re:I'm surprised most companies permit this by DickBreath · Score: 1

      The most widely used microprocessor has a compromise ("Intel management engine") baked right into the hardware. Why would you care about the insecurity of the OS?

      --

      I'll see your senator, and I'll raise you two judges.
    8. Re:I'm surprised most companies permit this by 110010001000 · Score: 2

      What knowledge? There are one-line exploits ready-made already out there. How would a firewall help?

    9. Re:I'm surprised most companies permit this by 110010001000 · Score: 1

      Excellent point! But check out the guy worried about a fingerprint scanner!

    10. Re:I'm surprised most companies permit this by froggyjojodaddy · Score: 1

      Hopefully I'm not coming across as a defender of fingerprint scanners or the problems with OS level flaws!

      My point is simply that the effort required for my average co-worker to access my password-protected laptop is much lower to fool the biometric scanner than it is to exploit a flaw in the OS or the intel management engine.

      Again, not talking about technically savvy people here - just the opportunistic person who watched Mythbusters and has sufficient motivation to unlock my PC with little to no detection risk.

    11. Re:I'm surprised most companies permit this by Baron_Yam · Score: 1

      >With the exception of the ability to pull the print in the first place...

      Did the previously authenticated person clean the scanner surface? No? Oh, I just got their print.

      That's why I like the 'swipe' version where you have to pull your finger across a narrow reader window instead of the imaging plate variant. At least then you have to work to get a good print off something else (which is actually pretty difficult when the person isn't deliberately trying to leave a print, contrary to what CSI would have you believe).

    12. Re:I'm surprised most companies permit this by rogoshen1 · Score: 2

      it might be too soon to try your finger.. maybe put on some smooth jazz and give it a glass of wine?

    13. Re:I'm surprised most companies permit this by jellomizer · Score: 1

      The scanner on most laptops requires a swipe action. That prevents a single fingerprint from sticking on the scanner. You have a better chance getting it from a door knob, because with other methods you normally only get the tips of your fingers, vs. the meat of your fingers that the scanner takes.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    14. Re:I'm surprised most companies permit this by duke_cheetah2003 · Score: 1

      >The place where I work prohibits this via IT Policy and disables the fingerprint scanner on all laptops

      If you're not going to use the scanner, why the heck are you buying laptops with them? They're optional in most models of laptop I've come across, and most models that CAN feature the finger print reader often don't. Why buy something if you're just going to disable it?

    15. Re:I'm surprised most companies permit this by SeaFox · Score: 1

      >On a laptop, there are plenty of places right on the laptop itself you could lift a print from.

      That's why I use my big toe as my fingerprint authentication device.

    16. Re:I'm surprised most companies permit this by Aighearach · Score: 1

      That may be the most widely used consumer CPU, but it is very very far from being the most widely used microprocessor. When you use the word "microprocessor," you're talking not only about CPUs but also every microcontroller and most ASICs. None of Intel's microprocessors are in the list of most used microprocessors. I doubt they even have an entry in the top 5!

      Strange oversight to make while trying to be the hardware guy in the conversation...

    17. Re:I'm surprised most companies permit this by Aighearach · Score: 1

      I have a recent thinkpad with the fingerprint scanner (I got it to play with and see if the linux software is any good, not to actually use; answer is no it is super-flaky).

      It only scans a single line of pixels at a time. Not only do you have to swipe your finger across it, you have to do so at a precise speed. And the bezel around it isn't large enough to hold a print, so you have differing surface finishes all around that area.

      The best place to lift a print would probably be on the bottom surface. It tends to be slightly elevated for airflow, and has lots of areas near the edge that are likely to be grabbed and hold prints.

    18. Re:I'm surprised most companies permit this by Aighearach · Score: 1

      If you let employees choose their own laptop features within a budget, they'll be a lot happier with the results and they'll complain less about problems. They will also choose features that you have to disable because they violate various company policies.

      If you insert a step where somebody reviews their choices you lose a lot of the morale boost from letting them choose, because they didn't get to choose, they only got to ask.

      If you have a bunch of java monkeys, just choose for them. If you have skilled professionals with individual skills that you want to retain, then you let them choose and you don't worry about the cost of useless features that you have to disable.

    19. Re:I'm surprised most companies permit this by Plus1Entropy · Score: 1

      >writing down passwords is not a good idea

      Your fingerprint is a password you "write" pieces of on everything you touch. And once compromised, you can't change it.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    20. Re:I'm surprised most companies permit this by froggyjojodaddy · Score: 1

      I'm not part of the purchasing team but I'll venture a guess that when buying a couple of thousand laptops at a time, you have certain specifications. Say a laptop meets all of those specs and you get a great deal on the price but it comes with a fingerprint scanner. You don't really care for the scanner but since you have the ability to disable it at the corp level, it doesn't matter.

      So it's not quite a matter of purchasing a laptop with a scanner you'll never use. Rather, you're purchasing a laptop that otherwise meets your requirements but has a feature that you don't need but since it's within your budget parameters, you'll purchase it anyway.

      You could argue that letting employees buy their own laptops is the solution but as someone who works for a 30k+ employee company, I can reassure you that's a finance / expense / support nightmare.

    21. Re:I'm surprised most companies permit this by DickBreath · Score: 1

      The number of ARM processors in use very probably already exceeds the number of Intel processors in use.

      Quick experiment. How many PCs / Laptops do you have with "Intel Management Engine Inside!"?

      Now, how many of the following do you have: Android smartphone, tablet, RoKu, WiFi router, Smart TV, Digital camera, GPS navigator device, Printer that has a web based configuration UI, or anything else with a web based configuration UI, and other things like Nest thermostats and other various gadgets.

      --

      I'll see your senator, and I'll raise you two judges.
    22. Re:I'm surprised most companies permit this by XSportSeeker · Score: 1

      You should dig a bit further into fingerprint reader technology before pulling all your conclusions from a Mythbusters episode... for good measure. Because they really aren't 100% safe today (nothing is), but not because of that Mythbusters episode.

      Let me tell you something about this, if you are interested: the often misused Mythbusters episode is not from "a few years ago"... it's almost 12 years old now, from an episode aired in 2006 (http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable/), and it was tested against an external laptop fingerprint reader and an electronic lock fingerprint reader that uses older deprecated tech (optical). The ones used today are using an entirely different mechanism (active capacitance, among others)... well, at least the ones coming out in newer devices - like smartphones, security systems and whatnot.

      Capacitance fingerprint readers, as well as newer technologies like multispectral and ultrasonic ones, are more secure than the old optical scanners. None of them are 100% secure, but most of them today wouldn't be broken by the technique used by Mythbusters back then. Some of them have been fooled by similar methods, but demanding a degree of precision that is impractical for most criminals to reproduce... like having an extremely high resolution scan of a fingerprint, making a 3D print using composite materials with multiple rounds of testing with very expensive 3D printers, stuff like that.

      Which is to say, it's still spoof-able, but it'd probably be better for the criminal to just force someone to put their finger there instead of trying to recreate it from scratch. It could be done, but it'd require a whole lot of time, social engineering, specialized machinery and materials, and work.

    23. Re:I'm surprised most companies permit this by Aighearach · Score: 1

      Looking around the room and counting is not really a good system, in my case I've got at least 50 AVR processors within 10' and I doubt my computer monitor has more than 5 or 6 ARM cores.

      And even the AMD motherboards often have media ICs with at least 2, probably 3 processor blocks made by Intel. Their most popular processors are probably ones that don't even have a consumer part number because they put the part number on the implemented application.

      So while ARM is presumed way ahead, getting a count on either side would be hard. And clearly CPUs wouldn't be top ten. Even on their own motherboards they're outnumbered.

  2. D'oh! by VirginMary · Score: 1
    --
    When 1 person suffers from a delusion, it is called insanity. When many people suffer from a delusion, it is called religion.
  3. Re:chinese communists by DickBreath · Score: 1

    I expect it to have security standards that meet or exceed those of Windows 98.

    And that's pretty darn high, since Windows 98 is way higher than Windows 10.

    --

    I'll see your senator, and I'll raise you two judges.
  4. This is why I install Linux on every new PC by aglider · Score: 1

    Maybe not everything works as expected, but at least it isn't leaking my stuff out!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re: This is why I install Linux on every new PC by Aighearach · Score: 2

      I've been using linux since the 90s, and I always tell people, don't use linux unless you know what you're doing, or don't know what an OS is.

      Please don't use linux. There is nothing warm and fuzzy about it. The simple fact is that if you're not either a computer professional/enthusiast, or a very casual computer user, then you have no reason to use it. It will only be harder to use, and won't run most of your software.

      If you're casual enough that you would never try to install software without help, you just want to use some basic office and internet functionality, then great, you can make good use of linux by having somebody set it up for you. As long as you don't want to change anything, it will Just Work for a long long time.

      But if you're not an expert, and you want to be able to run random software on your computer, perhaps that you purchased in a box at a store, then please don't bother. Just use a consumer OS. Filling linux forums with your stupid questions is just going to frustrate you because you shouldn't even be asking for help. You don't even have a reason to be using it.

      Never use software tools unless you have a use case for them. Read a book or something. Go for a walk.

    2. Re: This is why I install Linux on every new PC by ColaMan · Score: 1

      Bollocks.

      Go and be an insufferable elitist boor elsewhere.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    3. Re: This is why I install Linux on every new PC by fisted · Score: 1

      It's not elitist, it's pretty much spot on.

    4. Re: This is why I install Linux on every new PC by Aighearach · Score: 1

      You might want to get an umbrella, the forecast calls for rain and I'm quite sure you'll drown with your nose held that high.

      The thing you didn't comprehend about elitism is that people doing their own thing for their own reasons is actually good. Elitism is where they're keeping others out, not where they simply think it is good if people with low interest levels participate in the activity.

      It's good you decided to spend a few seconds of your life to think about elitism for the first time. I commend your efforts, and I really hope you get a bit further into the issues next time.

  5. Lenovo's security continues to improve. by Anonymous Coward · Score: 1

    When asked for comment, one Lenovo executive responded: “This is an excellent example of Lenovo’s continued commitment to improved security. At least this time we didn’t deliberately ship a rootkit.”

    1. Re:Lenovo's security continues to improve. by sabbede · Score: 1

      HAH! Nice one. I was just thinking about what a crap reputation Lenovo is building for itself. It's a shame really, IBM made a solid laptop before they decided to sell out to China.

  6. Only one thing could make this story better by 93+Escort+Wagon · Score: 1

    Is the hard-coded password "hunter2"?

    --
    #DeleteChrome
  7. Backdoor eh? by fox171171 · Score: 1

    >"...is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,"

    So weak encryption and a backdoor. Just the kind of thing the FBI and others want.

  8. hyperbolic by ourlovecanlastforeve · Score: 1

    Modded down for sensationalist title.

    This is only their older fingerprint scanners.

    Current models do not have this exploit.

  9. Re:Amazing! by Aighearach · Score: 1

    And its password is the same I have on my luggage!

    The master key is the same as your luggage, too.

  10. no big loss. by 140Mandak262Jamuna · Score: 1

    Their fingerprint scanners are crappy anyway, easy to fool. So a hard-coded passw0rd! is more difficult to crack than cheating the fingerprint scanner.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Re:chinese communists by DickBreath · Score: 1

    Because 10 < 95 < 98.

    Therefore it follows that Win 10 < Win 95 < Win 98.

    --

    I'll see your senator, and I'll raise you two judges.